It is desirable to apply and enforce policies on the management and use of electronic data. Policies can be used to support goals such as access control, financial reporting compliance, data privacy, protection of intellectual property or sensitive data, and protection from malware.
Presently, systems and applications require very complex and costly data analysis and controls that are custom-developed for a specific business process, law, regulation or requirement. Each application requires its own mechanism to control and protect data, and that mechanism is difficult if not impossible to apply to a second set of data or a second process.
Moreover, the mechanism for specifying the rules governing a particular data object is generally to associate the policy itself with the data object. This direct association between the policy and the data object makes it difficult to change the policy that governs a large class of similar objects (e.g., to change the policy governing all health records), since the policy would have to be changed for each object. It would be advantageous to have a level of abstraction that allows policies to be defined separately from the classification of data objects (e.g., to define that a data object is a “health record,” and to separately define and/or change the policy that applies to health records).
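The indirection described above can be sketched as follows. This is an added example, not part of the original text; the class names, the role/action model, the default-deny behavior and the rule that every classification on an object must permit a request are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DataObject:
    """A data object carries only classification labels, never a policy."""
    name: str
    classifications: frozenset

@dataclass
class Policy:
    """Rule for one classification: action -> set of roles allowed to do it."""
    allowed: dict = field(default_factory=dict)

    def permits(self, role, action):
        return role in self.allowed.get(action, set())

class PolicyStore:
    """Maps classification label -> Policy, held apart from the objects."""
    def __init__(self):
        self._by_class = {}

    def set_policy(self, classification, policy):
        self._by_class[classification] = policy

    def is_allowed(self, obj, role, action):
        # Assumption: deny unclassified objects and labels with no policy;
        # every label on the object must permit the request.
        if not obj.classifications:
            return False
        for label in obj.classifications:
            policy = self._by_class.get(label)
            if policy is None or not policy.permits(role, action):
                return False
        return True

def demo():
    # Constructed sample data: 1000 health records and one dual-labelled file.
    records = [DataObject(f"patient-{i}.pdf", frozenset({"health_record"}))
               for i in range(1000)]
    mixed = DataObject("claim-17.xlsx", frozenset({"health_record", "financial"}))
    store = PolicyStore()
    store.set_policy("health_record", Policy({"read": {"clinician", "billing"}}))
    store.set_policy("financial", Policy({"read": {"billing", "auditor"}}))
    before = sum(store.is_allowed(r, "billing", "read") for r in records)
    mixed_before = store.is_allowed(mixed, "billing", "read")
    # One policy change; no DataObject is modified or re-labelled.
    store.set_policy("health_record", Policy({"read": {"clinician"}}))
    after = sum(store.is_allowed(r, "billing", "read") for r in records)
    return before, after, mixed_before, store.is_allowed(mixed, "billing", "read")
```

A single call to `set_policy` changes the outcome for all 1000 records and for the dual-labelled file, whereas a design that stores the policy on each object would require one update per object.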